DiogoT
just joined
Topic Author
Posts: 19
Joined: Tue Feb 21, 2017 7:31 pm

VPN

Tue Mar 21, 2017 6:54 pm

Hello,

I have the following network topology: there are two offices, and the traffic of office 1 (R1) passes through a VPN to office 2 (R2).
In office 1 there are two WAN connections, where WAN1 is the main one and WAN2 is the backup.
When WAN1 goes down, the VPN moves to WAN2, as desired!
However, when WAN1 is available again, the VPN does not return to WAN1 ...
What should I do to reverse this situation?
[attachment: topology.jpg]
 
jmiguelcd
Trainer
Posts: 9
Joined: Wed Dec 30, 2015 11:49 pm

Re: VPN

Tue Mar 21, 2017 7:45 pm

Can you post the "export" of the two routers, please?

If you speak Spanish, please write in Spanish.
 
andriys
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: VPN

Tue Mar 21, 2017 8:26 pm

If you speak Spanish, please write in Spanish.
Please don't. This is an international forum; please always use English when posting here.
 
petterg
Member Candidate
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

Re: VPN

Wed Mar 22, 2017 1:14 am

I assume R1's main and backup connections do not share IPs.
My approach in such a case would be to make sure the router at R2 is the one to initiate the connection.
At R2 I would create a set of netwatch entries:
- Netwatch1: ip=[a lan ip at R1] OnDown=/system script run StabilityCheck
- Netwatch2: ip=[R1.main.public.ip] OnDown=/system script run StabilityCheck OnUp=/system script run StabilityCheck
- Netwatch3: ip=[R1.backup.public.ip] OnDown=/system script run StabilityCheck

I would create scripts like these:

StabilityCheck:
    send x pings to R1.main.public.ip
    send x pings to R1.backup.public.ip
    analyse the ping responses and decide which connection is preferred
    run script VpnMainInitiate or VpnBackupInitiate depending on which is preferred
    /system scheduler disable initStabilityCheck

VpnMainInitiate:
    if mainVpn is disabled {
        disable backupVpn
        enable mainVpn
        disable Netwatch3
    }
    if vpn is up {
        disable Netwatch2
        enable Netwatch1
        disable scheduler VpnCheck
    } else {
        enable Netwatch3
        enable Netwatch2
        disable Netwatch1
    }

VpnBackupInitiate:
    if backupVpn is disabled {
        disable mainVpn
        enable backupVpn
        disable Netwatch3
        enable Netwatch2
    }
    if vpn is up {
        disable Netwatch2
        enable Netwatch1
        enable scheduler VpnCheck
    } else {
        enable Netwatch3
        enable Netwatch2
        disable Netwatch1
    }

Scheduler VpnCheck: /system script run StabilityCheck


The point is: if the connection inside the VPN or to any of the R1 public IPs drops, check with ping which IP at R1 is the most stable and connect using that IP. If the connection fails, or the backup connection becomes the active one, enable a scheduler that will repeat the check every so often. If the main connection becomes the active one, wait for netwatch to trigger any recheck.
 
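The design sketched in the post above, written out as a concrete RouterOS configuration. This is an added example, not code from the thread; the addresses (R1 main WAN 203.0.113.10, R1 backup WAN 198.51.100.10, R1 LAN 192.168.10.1) and the two L2TP client interface names on R2 (l2tp-r1-main, l2tp-r1-backup) are assumptions. Compared with the post it simplifies one thing: the three netwatch entries stay enabled all the time and the StabilityCheck script is written so that running it again is harmless, so the netwatch enable/disable bookkeeping is not needed.

```routeros
# Added example (not from the thread): R2-side failover and failback of the
# office-to-office VPN, following petterg's netwatch + StabilityCheck design.
# Assumed values: R1 main WAN 203.0.113.10, R1 backup WAN 198.51.100.10,
# R1 LAN address 192.168.10.1, and two L2TP client interfaces on R2 named
# l2tp-r1-main / l2tp-r1-backup whose connect-to addresses are those two WANs.

# --- 1. Objects that trigger the check -----------------------------------
/tool netwatch
add comment="Netwatch1: R1 LAN reached through the tunnel" host=192.168.10.1 \
    interval=30s timeout=2s down-script="/system script run StabilityCheck"
add comment="Netwatch2: R1 main WAN" host=203.0.113.10 interval=30s timeout=2s \
    up-script="/system script run StabilityCheck" \
    down-script="/system script run StabilityCheck"
add comment="Netwatch3: R1 backup WAN" host=198.51.100.10 interval=30s timeout=2s \
    down-script="/system script run StabilityCheck"

# Periodic recheck; only enabled while the tunnel runs over the backup WAN
/system scheduler
add name=VpnCheck interval=2m disabled=yes \
    on-event="/system script run StabilityCheck"

# --- 2. StabilityCheck (save as: /system script add name=StabilityCheck) --
:local mainIp 203.0.113.10
:local backupIp 198.51.100.10
:local mainVpn "l2tp-r1-main"
:local backupVpn "l2tp-r1-backup"
:local probes 5

# /ping returns the number of replies received
:local mainOk [/ping $mainIp count=$probes]
:local backupOk [/ping $backupIp count=$probes]
:log info "StabilityCheck: main $mainOk/$probes, backup $backupOk/$probes"

:if ($mainOk >= ($probes - 1)) do={
    # Main WAN answers reliably: make sure the tunnel uses it (failback)
    :if ([/interface l2tp-client get [find name=$mainVpn] disabled]) do={
        /interface l2tp-client disable [find name=$backupVpn]
        /interface l2tp-client enable [find name=$mainVpn]
        :log warning "StabilityCheck: VPN moved to R1 main WAN"
    }
    # Nothing to poll for: netwatch calls this script again if something drops
    /system scheduler set [find name=VpnCheck] disabled=yes
} else={
    # Main WAN is unreliable: use the backup WAN if it answers at all
    :if ($backupOk > 0) do={
        :if ([/interface l2tp-client get [find name=$backupVpn] disabled]) do={
            /interface l2tp-client disable [find name=$mainVpn]
            /interface l2tp-client enable [find name=$backupVpn]
            :log warning "StabilityCheck: VPN moved to R1 backup WAN"
        }
    }
    # Keep polling so the tunnel returns to the main WAN once it recovers
    /system scheduler set [find name=VpnCheck] disabled=no
}
```

Two checks before relying on this: R1 must answer ICMP on both WAN addresses from R2's public address (otherwise every probe fails and the script never prefers the main WAN), and ICMP reachability is only a proxy for L2TP (UDP/1701) reachability, so the Netwatch1 entry on the R1 LAN address is what actually detects a tunnel that is up at IP level but not passing traffic.
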
DiogoT
just joined
Topic Author
Posts: 19
Joined: Tue Feb 21, 2017 7:31 pm

Re: VPN

Wed Mar 22, 2017 1:44 pm

Hello,

After a search on MikrotiK, I discovered a failover script.
I made some changes, adding a VPN, and it worked.
# ------------- start editing here -------------
# Edit the variables below to suit your needs

# Please fill in the WAN interface names
:local InterfaceISP1 ether5
:local InterfaceISP2 ether6
# Name of the L2TP client interface that carries the VPN
:local namevpn l2tp-r3
# Please fill in the gateway IPs (or interface names in case of PPP)
:local GatewayISP1 X.X.X.X
:local GatewayISP2 Y.Y.Y.Y

# Please fill in the ping check host - currently: resolver1.opendns.com
:local PingTarget Z.Z.Z.Z

# Please fill in how many ping failures are allowed before fail-over happens
:local FailThreshold 3

# Define the distance increase of a route when it fails
:local DistanceIncrease 20

# Editing the script after this point may break it
# -------------- stop editing here --------------



# Declare the global variables (they survive between scheduler runs)
:global PingFailCountISP1
:global PingFailCountISP2

# This initializes the PingFailCount variables, in case this is the 1st time the script has run
:if ([:typeof $PingFailCountISP1] = "nothing") do={:set PingFailCountISP1 0}
:if ([:typeof $PingFailCountISP2] = "nothing") do={:set PingFailCountISP2 0}

# This variable will be used to keep results of individual ping attempts
# (ping returns the number of replies received, so with count=1 it is 0 or 1)
:local PingResult



# Check ISP1
:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP1]
:put $PingResult

:if ($PingResult = 0) do={
    # The counter is capped at FailThreshold+2 so that recovery needs only a few good pings
    :if ($PingFailCountISP1 < ($FailThreshold+2)) do={
        :set PingFailCountISP1 ($PingFailCountISP1 + 1)

        :if ($PingFailCountISP1 = $FailThreshold) do={
            :log warning "ISP1 has a problem en route to $PingTarget - increasing distance of routes."
            :foreach i in=[/ip route find gateway=$GatewayISP1 && static] do=\
                {/ip route set $i distance=([/ip route get $i distance] + $DistanceIncrease)}
            :log warning "Route distance increase finished."
            # Edit: restart the L2TP client so the tunnel is re-established over the
            # route that is now preferred (an established tunnel does not move by itself)
            :foreach i in=[/interface l2tp-client find name=$namevpn] do=\
                {/interface l2tp-client set $i disabled=yes
                 /interface l2tp-client set $i disabled=no}
            :log warning "L2TP client restarted to follow the new gateway."
        }
    }
}
:if ($PingResult = 1) do={
    :if ($PingFailCountISP1 > 0) do={
        :set PingFailCountISP1 ($PingFailCountISP1 - 1)

        :if ($PingFailCountISP1 = ($FailThreshold -1)) do={
            :log warning "ISP1 can reach $PingTarget again - bringing back original distance of routes."
            :foreach i in=[/ip route find gateway=$GatewayISP1 && static] do=\
                {/ip route set $i distance=([/ip route get $i distance] - $DistanceIncrease)}
            :log warning "Route distance decrease finished."
            # Edit: restart the L2TP client again so the tunnel fails back to ISP1
            :foreach i in=[/interface l2tp-client find name=$namevpn] do=\
                {/interface l2tp-client set $i disabled=yes
                 /interface l2tp-client set $i disabled=no}
            :log warning "L2TP client restarted to follow the new gateway."
        }
    }
}



# Check ISP2
:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP2]
:put $PingResult

:if ($PingResult = 0) do={
    :if ($PingFailCountISP2 < ($FailThreshold+2)) do={
        :set PingFailCountISP2 ($PingFailCountISP2 + 1)

        :if ($PingFailCountISP2 = $FailThreshold) do={
            :log warning "ISP2 has a problem en route to $PingTarget - increasing distance of routes."
            :foreach i in=[/ip route find gateway=$GatewayISP2 && static] do=\
                {/ip route set $i distance=([/ip route get $i distance] + $DistanceIncrease)}
            :log warning "Route distance increase finished."
        }
    }
}
:if ($PingResult = 1) do={
    :if ($PingFailCountISP2 > 0) do={
        :set PingFailCountISP2 ($PingFailCountISP2 - 1)

        :if ($PingFailCountISP2 = ($FailThreshold -1)) do={
            :log warning "ISP2 can reach $PingTarget again - bringing back original distance of routes."
            :foreach i in=[/ip route find gateway=$GatewayISP2 && static] do=\
                {/ip route set $i distance=([/ip route get $i distance] - $DistanceIncrease)}
            :log warning "Route distance decrease finished."
        }
    }
}
Last edited by DiogoT on Wed Mar 22, 2017 1:47 pm, edited 2 times in total.
 
DiogoT
just joined
Topic Author
Posts: 19
Joined: Tue Feb 21, 2017 7:31 pm

Re: VPN

Wed Mar 22, 2017 1:46 pm

Thanks! However, I only have access to R1, so I implemented a new solution.
